honor per-target tls/chase referrals/rebind as user (ITS#6190)

diff --git a/servers/slapd/back-meta/back-meta.h b/servers/slapd/back-meta/back-meta.h
index 3c0395200e3e62778174fb4f0f5945cf6f27a2ed..898b6f2c77670ae15654aebf62bc9e958911e728 100644 (file)
--- a/servers/slapd/back-meta/back-meta.h
+++ b/servers/slapd/back-meta/back-meta.h
@@ -301,6 +301,14 @@ typedef struct metatarget_t {
 #define        META_BACK_TGT_ISSET(mt,f)               ( ( (mt)->mt_flags & (f) ) == (f) )
 #define        META_BACK_TGT_ISMASK(mt,m,f)            ( ( (mt)->mt_flags & (m) ) == (f) )
 
+#define META_BACK_TGT_SAVECRED(mt)             META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_SAVECRED )
+
+#define META_BACK_TGT_USE_TLS(mt)              META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_USE_TLS )
+#define META_BACK_TGT_PROPAGATE_TLS(mt)                META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_PROPAGATE_TLS )
+#define META_BACK_TGT_TLS_CRITICAL(mt)         META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_TLS_CRITICAL )
+
+#define META_BACK_TGT_CHASE_REFERRALS(mt)      META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_CHASE_REFERRALS )
+
 #define        META_BACK_TGT_T_F(mt)                   META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_T_F_MASK, LDAP_BACK_F_T_F )
 #define        META_BACK_TGT_T_F_DISCOVER(mt)          META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_T_F_MASK2, LDAP_BACK_F_T_F_DISCOVER )
 

diff --git a/servers/slapd/back-meta/bind.c b/servers/slapd/back-meta/bind.c
index 3b3f520736d66623a7ccfb3d78abbd4992522e5f..9c972902520dec1a7795eee87886d1a7cfec8a34 100644 (file)
--- a/servers/slapd/back-meta/bind.c
+++ b/servers/slapd/back-meta/bind.c
@@ -538,7 +538,7 @@ meta_back_single_bind(
        LDAP_BACK_CONN_ISBOUND_SET( msc );
        mc->mc_authz_target = candidate;
 
-       if ( LDAP_BACK_SAVECRED( mi ) ) {
+       if ( META_BACK_TGT_SAVECRED( mt ) ) {
                if ( !BER_BVISNULL( &msc->msc_cred ) ) {
                        memset( msc->msc_cred.bv_val, 0,
                                msc->msc_cred.bv_len );
@@ -1539,7 +1539,7 @@ meta_back_proxy_authz_bind( metaconn_t *mc, int candidate, Operation *op, SlapRe
                                LDAP_BACK_CONN_ISBOUND_SET( msc );
                                ber_bvreplace( &msc->msc_bound_ndn, &binddn );
 
-                               if ( LDAP_BACK_SAVECRED( mi ) ) {
+                               if ( META_BACK_TGT_SAVECRED( mt ) ) {
                                        if ( !BER_BVISNULL( &msc->msc_cred ) ) {
                                                memset( msc->msc_cred.bv_val, 0,
                                                        msc->msc_cred.bv_len );

diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
index eb62e267591ae5b28e444c3385241ff9529afb6f..de6114dffa1e50eb37e52555152f6c232f07aecc 100644 (file)
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -640,6 +640,10 @@ meta_back_db_config(
                
        /* save bind creds for referral rebinds? */
        } else if ( strcasecmp( argv[ 0 ], "rebind-as-user" ) == 0 ) {
+               unsigned        *flagsp = mi->mi_ntargets ?
+                               &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
+                               : &mi->mi_flags;
+
                if ( argc > 2 ) {
                        Debug( LDAP_DEBUG_ANY,
        "%s: line %d: \"rebind-as-user {NO|yes}\" takes 1 argument.\n",
@@ -651,16 +655,16 @@ meta_back_db_config(
                        Debug( LDAP_DEBUG_ANY,
        "%s: line %d: deprecated use of \"rebind-as-user {FALSE|true}\" with no arguments.\n",
                            fname, lineno, 0 );
-                       mi->mi_flags |= LDAP_BACK_F_SAVECRED;
+                       *flagsp |= LDAP_BACK_F_SAVECRED;
 
                } else {
                        switch ( check_true_false( argv[ 1 ] ) ) {
                        case 0:
-                               mi->mi_flags &= ~LDAP_BACK_F_SAVECRED;
+                               *flagsp &= ~LDAP_BACK_F_SAVECRED;
                                break;
 
                        case 1:
-                               mi->mi_flags |= LDAP_BACK_F_SAVECRED;
+                               *flagsp |= LDAP_BACK_F_SAVECRED;
                                break;
 
                        default:

diff --git a/servers/slapd/back-meta/conn.c b/servers/slapd/back-meta/conn.c
index be59cd3ea890112002ceba3d350f4366110579a5..09f918956b9a6abcf016dc8406d94b0db47786ae 100644 (file)
--- a/servers/slapd/back-meta/conn.c
+++ b/servers/slapd/back-meta/conn.c
@@ -418,13 +418,13 @@ retry_lock:;
 
        /* automatically chase referrals ("chase-referrals [{yes|no}]" statement) */
        ldap_set_option( msc->msc_ld, LDAP_OPT_REFERRALS,
-               LDAP_BACK_CHASE_REFERRALS( mi ) ? LDAP_OPT_ON : LDAP_OPT_OFF );
+               META_BACK_TGT_CHASE_REFERRALS( mt ) ? LDAP_OPT_ON : LDAP_OPT_OFF );
 
 #ifdef HAVE_TLS
        /* start TLS ("tls [try-]{start|propagate}" statement) */
-       if ( ( LDAP_BACK_USE_TLS( mi )
+       if ( ( META_BACK_TGT_USE_TLS( mt )
                || ( op->o_conn->c_is_tls
-                       && LDAP_BACK_PROPAGATE_TLS( mi ) ) )
+                       && META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
                && !is_ldaps )
        {
 #ifdef SLAP_STARTTLS_ASYNCHRONOUS
@@ -526,7 +526,7 @@ retry:;
                 * overlay, where the "uri" can be parsed out of a referral */
                if ( rs->sr_err == LDAP_SERVER_DOWN
                        || ( rs->sr_err != LDAP_SUCCESS
-                               && LDAP_BACK_TLS_CRITICAL( mi ) ) )
+                               && META_BACK_TGT_TLS_CRITICAL( mt ) ) )
                {
 
 #ifdef DEBUG_205

diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c
index 171221421df2c7f5271f00914c72b2ea9e971c4c..c729ea29227f24302e4e5b41b55524c124e6b9a1 100644 (file)
--- a/servers/slapd/back-meta/search.c
+++ b/servers/slapd/back-meta/search.c
@@ -199,7 +199,7 @@ meta_search_dobind_init(
                 * because the connection is not shared until bind is over */
                if ( !BER_BVISNULL( &binddn ) ) {
                        ber_bvreplace( &msc->msc_bound_ndn, &binddn );
-                       if ( LDAP_BACK_SAVECRED( mi ) && !BER_BVISNULL( &cred ) ) {
+                       if ( META_BACK_TGT_SAVECRED( mt ) && !BER_BVISNULL( &cred ) ) {
                                if ( !BER_BVISNULL( &msc->msc_cred ) ) {
                                        memset( msc->msc_cred.bv_val, 0,
                                                msc->msc_cred.bv_len );